Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- Migrating from GT2
- Migrating from GT3
Reference
- PDF version
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces
- Resource Properties
- Samples
- Glossary
- Performance Studies
Common Runtime
Security
Data Mgt
Information Svcs
Execution Mgt
Table of Contents
- 1. Introduction
- 2. Before you begin
- 3. Architecture and design overview
- 4. Public interfaces
- 4.1. Semantics and syntax of APIs
- 4.2. Semantics and syntax of the WSDL
- 4.3. Semantics and syntax of non-WSDL protocols
- 4.4. Framework-level Protocols
- 4.5. Command-line tools
- 4.6. Overview of Graphical User Interfaces
- 4.7. Semantics and syntax of domain-specific interface
- 4.8. Configuration interface
- 4.9. Environment variable interface
- 5. Usage scenarios
- 6. Tutorials
- 7. Debugging
- 8. Troubleshooting
- 9. Related Documentation
This component contains mainly framework level code and as such developing services and clients utilizing this component does in general involve either programmatically or declaratively driving the framework level security code. Now, what does this entail? On the programmatic side of things it involves acquiring credentials, passing these credentials on to the framework and setting various authentication and protection related flags, either in a descriptor or as properties on a stub object. On the declarative side it involves setting up security descriptors, both client and service side, to prescribe the security policy used to drive the security framework code.
Features new in GT 4.1.1
None.
Other Supported Features
- Compliance with published IBM/Microsoft WS-Trust and WS-SecureConversation specifications
- Compliance with the Web Services Security 1.0 standard
- HTTPS support
- Message encryption, integrity protection and replay attack prevention
- Establishment of a session key for light-weight message protection
Deprecated Features
- GT 3.2 SecureConversation protocol
WS Authentication and Authorization Message & Transport Level Security should work on any platform that supports J2SE 1.3.1 or higher.
Tested Platforms for WS Authentication and Authorization Message & Transport Level Security
- Linux (Red Hat 7.3)
- Windows 2000
- Solaris 9
WS Authentication and Authorization Message & Transport Level Security depends on the following GT components:
- The C implementation depends on C WS Core.
- The Java implementation depends on Java WS Core.
WS Authentication and Authorization Message & Transport Level Security depends on the following 3rd party software:
- Apache WSFX Security Libraries
- PureTLS Libraries
- BouncyCastle JCE provider
- Cryptix Libraries
- Apache XML Security Libraries
The Java security code currently does not enforce secure permissions and, implicitly, file ownership requirements on any of the security related files, e.g. configuration and credential files. It is thus important that administrators ensure that the relevant files have correct permissions and ownership. Permissions should generally be as restrictive as possible, i.e. private keys should be readable only by the file owner and other files should be writable by owner only, and the files should generally be owned by the globus user (the requirements that the C code enforces are documented in Section 8, “Configuration interface”).
Also refer to Section 5, “Known Problems” for details on any other open issues.
The toolkit by default is deployed with our implementation of transport security, which is based on HTTP over SSL, also known as HTTPS, with modifications to path validation to enable X.509 Proxy Certificate support. In contrast to the GT3 version of the toolkit, the default transport security enabled in the toolkit does not support delegation of proxy certificates as part of the security handshake.
However the underlying security libraries and handlers required for secure transport with delegation, also known as HTTPG, is still supported and shipped as a part of the CoG library. The GT4 Java WS code base and configuration can be modified to use the HTTPG protocol is required.
Transport security is implemented by layering on top of the GSISocket class provided in JGlobus. This class deals with the security related aspects of connection establishment as well as message protection. The socket interface serves as a abstraction layer that allows the HTTP protocol handling code to be unaware of the underlying security properties of the connection.
Container-level credentials are required and, irrespective of security settings on the service being accessed, these credentials are used for handshake.
On the server side transport security is enabled by simply switching a non-secure socket implementation with the GSISocket implementation. In addition to this change some code was added to propagate authentication information and message protection settings to the relevant security handlers, in particular the authorization and security policy handlers.
On the client side transport security is similarly enabled by switching a non-secure socket implementation with the GSISocket implementation and registering a protocol handler for HTTPS that uses the secure socket implementation. In practice this means that any messages targeted at a HTTPS endpoint will, irregardless of any stub properties, be authenticated and protected. It also means that any messages sent to a HTTP endpoint will not be secured, again irregardless of any stub properties. Stub properties are only used to communicate the desired message protection level, i.e. either integrity only or integrity and privacy.
This section aims to describe the message flow and processing that occurs for a security-enabled service. The figure below shows the JAX-RPC handlers that are involved in security related message processing on a server.
GT4 provides two mechanisms, GSI Secure Conversation and GSI Secure Message security, for authentication and secure communication.
In the GSI Secure Conversation approach the client establishes a context with the server before sending any data. This context serves to authenticate the client identity to the server and to establish a shared secret using a collocated GSI Secure Conversation Service. Once the context establishment is complete the client can securely invoke an operation on the service by signing or encrypting outgoing messages using the shared secret captured in the context.
The GSI Secure Message approach differs in that no context is established before invoking an operation. The client simply uses existing keying material, such as an X509 End Entity Certificate, to secure messages and authenticate itself to the service.
Securing of messages in the GSI Secure Conversation approach, i.e. using a shared secret, requires less computational effort than using existing keying material in the GSI Secure Message approach. This allows the client to trade off the extra step of establishing a context to enable more computationally efficient messages protection once that context has been established.
When a message arrives from the client the SOAP engine invokes several security related handlers.
The first of these handlers, the WS-Security handler, searches the message for any WS-Security headers. From these headers it extracts any keying material, which can be either in the form of an X509 certificate and associated certificate chain or a reference to a previously established secure conversation session. It also checks any signatures and/or decrypts elements in the SOAP body. The handler then populates a peer JAAS subject object with principals and any associated keying material whose veracity was ascertained during the signature checking or decryption step.
The next handler that gets invoked, the security policy handler, checks that incoming messages fulfill any security requirements the service may have. These requirements are specified, on a per-operation basis, as part of a security descriptor during service deployment. The security policy handler will also identify the correct JAAS subject to associate with the current thread of execution. Generally this means choosing between the peer subject populated by the WS-Security handler, the subject associated with the hosting environment and the subject associated with the service itself. The actual association is done by the pivot handler, a non-security handler not shown in the figure that handles the details of delivering the message to the service.
The security policy handler is followed by an authorization handler. This handler verifies that the principal established by the WS-Security handler is authorized to invoke the service. The type of authorization that is performed is specified as part of a deployment descriptor. More information can be found in there authorization framework documentation.
Once the message has passed the authorization handler it is finally handed off to the actual service for processing (discounting any non security related handlers, which are outside the scope of this document). Replies from the service back to the client are processed by two outbound handlers: the GSI Secure Conversation message handler and the GSI Secure Message handler. The GSI Secure Conversation message handler deals with encrypting and signing messages using a previously established security context, whereas the GSI Secure Message handler deals with messages by signing or encrypting the messages using X509 certificates. The operations that are actually performed depend on the message properties associated with the message by the inbound handlers, i.e. outbound messages will have the same security attributes as inbound messages. That being said, a service has the option of modifying the message properties if so desired. These handlers are identical to the client side handlers described in the following section.
This section describes the security related message processing for Java-based GT4 clients. In contrast to the server side, where security is specified via deployment descriptors, client side security configuration is handled by the application. This means that a client side application has to explicitly pass information to the client side handlers on what type of security to use. This is also true for the case of services acting as clients. The below figure shows the JAX-RPC handlers that are involved in security related message processing on a server.
The client side application can specify the use of either the GSI Secure Conversation security approach or the GSI Secure Message security approach. It does this by setting a per message property that is processed by the client side security handlers.
There are three outbound client side security handlers:
The secure conversation service handler is only operational if GSI Secure Conversation mode is in use. It establishes a security session with a secure conversation service collocated with the service with which the client aims to communicate. When the client sends the initial message to the service with a property indicating that session based security is required, this handler intercepts the message and establishes a security session. It will also authorize the service by comparing the service's principal/subject obtained during session establishment with a value provided by the client application. Once the session has been established the handler passes on the original message for further processing.
The next handler in the chain, the secure message handler, is only operational if GSI Secure Message mode is in use. It signs and/or encrypts messages using X.509 credentials.
The third outbound handler is operational only if GSI Secure Conversation mode is in use. It handles signing and/or encryption of messages using a security session established by the first handler.
The client side inbound handler (the WS-Security client handler) deals with verifying and decrypting any signed and/or encrypted incoming messages. In the case of GSI Secure Message operation it will also authorize the remote side in a similar fashion to the outbound secure conversation service handler.
The security programming model differs between the client and server side. The client side model is programmatic in nature, i.e. security related code is driven by making actual function calls, whereas the server side model is declarative, i.e. security related settings are declared in a security descriptor. For more information on the available client side calls see Section 7, “Semantics and syntax of domain-specific interface”. More information about the security descriptor can be found in Java WS Security Descriptor Framework .
Stable interfaces:
- org.globus.wsrf.security.Constants
- org.globus.wsrf.security.SecureResource
- org.globus.wsrf.security.SecurityManager
- org.globus.wsrf.security.SecurityException
Less stable interfaces:
- org.globus.wsrf.impl.security.descriptor.ClientSecurityDescriptor
- org.globus.wsrf.impl.security.descriptor.ResourceSecurityDescriptor
Documentation for these interfaces can be found here.
This service provides a mechanism for generating a security session, i.e the negotiation of a shared secret which may be used to secure a set of subsequent messages. It is based on the WS-Trust and WS-SecureConversation specifications.
RequestSecurityToken: This operation initiates a new security session negotiation. Furthermore, since the actual schema for this message is not unambiguously defined by the specifications, this is the actual schema used:
<xs:element name='RequestSecurityToken'>
<xs:complexType name='RequestSecurityTokenType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element>
<xs:element name='RequestSecurityTokenResponse'>
<xs:complexType name='RequestSecurityTokenResponseType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element>RequestSecurityTokenResponse: This operation continues a security session negotiation. Furthermore, since the actual schema for this message is not unambiguously defined by the specifications, this is the actual schema used:
<xs:element name='RequestSecurityTokenResponse'>
<xs:complexType name='RequestSecurityTokenResponseType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element>
<xs:element name='RequestSecurityTokenResponse'>
<xs:complexType name='RequestSecurityTokenResponseType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'
minOccurs="0"/>
<xs:element ref='wsc:SecurityContextToken'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element> In the above the second RequestSecurityTokenResponse element refers
to the final message in the exchange.
Both RequestSecurityToken and RequestSecurityTokenResponse throw
the following faults:
ValueTypeNotSupportedFault: This fault indicates that the value type attribute on the binary exchange token element is not supported by the service.EncodingTypeNotSupportedFault: This fault indicates that the encoding type attribute on the binary exchange token element is not supported by the service.RequestTypeNotSupportedFault: This fault indicates that the request type specified in the request type element is not supported by the serviceTokenTypeNotSupportedFault: This fault indicates that the token type specified in the token type element is not supported by the service.MalformedMessageFault: This fault indicates that the message content received by the service does not conform to the expected content. This is necessary since the schema does not give a well defined content model.BinaryExchangeFault: This fault indicates that a failure occurred during the in the underlying security constant responsible for the session negotiation.InvalidContextIdFault: This fault indicates that the context id passed in the message is not valid within the context of this service or negotiation.
- WS-Trust WSDL
- WS-Trust XSD
- WS-SecureConversation XSD
- Secure Conversation WSDL [link]
The framework implements the Web Services Security: SOAP Message Security, Web Services Security: Username Token Profile and Web Services Security: X.509 Token Profile specifications.
The transport security solution used by the framework consists of HTTP over SSL/TLS (HTTPS) using X.509 certificates. The path validation step has been augmented to support the Proxy Certificate Profile (RFC3820).
The framework implements the Web Services Security: SOAP Message Security, Web Services Security: Username Token Profile and Web Services Security: X.509 Token Profile specifications.
The transport security solution used by the framework consists of HTTP over SSL/TLS (HTTPS) using X.509 certificates. The path validation step has been augmented to support the Proxy Certificate Profile (RFC3820).
Client side security is set up by either setting individual properties on the javax.xml.rpc.Stub object used for the web service method invocation or by setting properties on a client side security descriptor object, which in turn is propagated to client side security handlers by making it available as a stub object property. Here are examples for the two approaches:
Setting property on the stub:
// Create endpoint reference EndpointReferenceType endpoint = new EndpointReferenceType(); // Set address of service String counterAddr = "http://localhost:8080/wsrf/services/CounterService"; // Get handle to port CounterPortType port = locator.getCounterPortTypePort(endpoint); // set client authorization to self ((Stub)port)._setProperty(Constants.AUTHORIZATION, SelfAuthorization.getInstance());Setting properties using a client descriptor:
// Client security descriptor file String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml"; // Create endpoint reference EndpointReferenceType endpoint = new EndpointReferenceType(); // Set address of service String counterAddr = "http://localhost:8080/wsrf/services/CounterService"; // Get handle to port CounterPortType port = locator.getCounterPortTypePort(endpoint); //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
The descriptor file is described in detail in Section 1, “Security Descriptors Introduction”.
![[Note]](/docbook-images/note.gif) | Note |
|---|---|
If the client needs to use transport security, the following API must be used to register the Axis transport handler for "https":
import org.globus.axis.util.Util;
static {
Util.registerTransport();
}
|
Table 1. Client side security properties
| Number | Task | Stub Configuration | Descriptor Configuration |
| 1. | Allows for configuration of credentials for authentication. |
Property: org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS Value equals the Instance of | |
| 2. | Allows for configuring client side authorization. |
Property: org.globus.wsrf.security.Constants.AUTHORIZATION Value equals the Instance of
If GSI Secure Transport or GSI Secure Conversation is used the value should be an instance of | Refer to Section 4.1.2.2, “Configuring authorization mechanism ” |
| 3. | Enable GSI Secure Conversation with specified message protection level. |
Property: org.globus.wsrf.security.Constants.GSI_SEC_CONV Values equal one of the following:
Furthermore, you can set the SOAP Actor of the GSI signed/encrypted
SOAP message by using the | Refer Section 4.1.2.3, “Configuring GSI Secure Conversation ”. |
| 4. | Sets the GSI delegation mode. Used for GSI Secure Conversation only. If limited or full delegation is chosen, then some form of client side authorization needs to be done (i.e client side authorization cannot be set to none). |
Property: org.globus.axis.gsi.GSIConstants.GSI_MODE Value equals one of following:
|
Refer Section 4.1.2.3, “Configuring GSI Secure Conversation ” |
| 5. | Enables GSI Secure Transport with some protection level. |
Property: org.globus.gsi.GSIConstants.GSI_TRANSPORT Values equal one of the following:
| |
| 6. | Enables anonymous authentication. This option only applies to GSI Secure Conversation and GSI Transport. |
Property: org.globus.wsrf.security.Constants.GSI_ANONYMOUS Value equals one of following:
|
Refer Section 4.1.2.3, “Configuring GSI Secure Conversation ” abd Section 4.1.2.5, “Configuring GSI Secure Transport ” |
| 7. | Enable GSI Secure Message with specified message protection level. |
Property: org.globus.wsrf.security.Constants.GSI_SEC_MSG Values equal one of the following:
You can set the SOAP Actor of the signed message using the | |
| 8. | Enable WS-Security username/password authentication |
Properties: org.globus.wsrf.security.Constants.USERNAME Value equals the username. org.globus.wsrf.security.Constants.PASSWORD Value equals the password. | |
| 9. | Sets the credential that is used to encrypt the message (typically, the recipient's public key). Used for GSI Secure Message only. |
Property: org.globus.wsrf.impl.security.authentication
.Constants.PEER_SUBJECT
Value equals the instance of The credential object needs to be wrapped in For example, if Subject subject = new Subject();
X509Certificate serverCert =
CertUtil.loadCertificate(publicKeyFilename);
EncryptionCredentials encryptionCreds =
new EncryptionCredentials(
new X509Certificate[] { serverCert });
subject.getPublicCredentials().add(encryptionCreds);
stub._setProperty(Constants.PEER_SUBJECT, subject);
| |
| 10. | Sets the trusted certificates location. |
Property: org.globus.wsrf.security.TRUSTED_CERTIFICATES Value should be a comma separated list of directories and file neams | Refer Section 4.1.2.7, “Configuring trusted credentials ” |
| 11. | Sets the SAML Authorization Assertion to embed in SOAP Headee. |
Property: org.globus.wsrf.impl.security.authentication.Constants.SAML_AUTHZ_ASSERTION Value should be an instance of org.opensaml.SAMLAssertion; | Cannot be configured using descriptors. |
Configuration of service-side security settings can be achieved in two ways. The preferred way is to provide these settings in a security descriptor, although it is also possible to manipulate security settings via CoG properties.
Information on the syntax of security descriptors can be found in Java WS Security Descriptor Framework .
Information on available CoG security properties can be found Section 3.1, “Trusted Certificates Location”
Refer to Section 3, “Configuring” for environment variables.Note that the above environment variable does not supersede any settings provided in security descriptors.
There are two ways a client can delegate its credential to a service: a) using Delegation Service b) using GSI Secure Conversation.
Client can delegate using the Delegation Service. This method is independent of the security scheme used and can be reused across multiple invocations of the client to multiple services (provided the service are in the same hosting envorinment as the delegation service). The link provided has details on client side steps to delegate and service side code to get the delegated credential.
GSI Secure Conversation has delegation built into the protocol. Delegation can be requested by setting the GSIConstants.GSI_MODE property on ther Stub or using security descriptors as described in Section 4.1.2.3, “Configuring GSI Secure Conversation ”. If full or limited delegation is performed, the client credential can be obtained from the message context as follows:
Subject subject = (Subject) msgCtx.getProperty(Constants.PEER_SUBJECT);
The server can be configured such that container, service or client credentials are used for the operation invoked. For the client credentials to be used, client should have delegated the credentials. Configuring this option is described in Section 3.1.6.2, “Configuring the run-as mode”. Note that this is a server side configuration. If caller-identity is chosen for the run-as configuration and the client's credentials have been successfully delegated, then the delegated credentials are associated with the current thread. The credentials in this case can be obtained as follows:
Subject subject = JaasSubject.getCurrentSubject();
The toolikit provides API to embed key information in an Endpoint Reference as defined in the OGSA Basic Security Profile. The key information is embedded in the extensibility element of the EPR rather than the meta-data element as defined in the specification, since the toolkit uses older version of the WS Addressing specification.
This information would be useful to ascertain the expected identity of the service for authorizing the service or to get the public certificate of the resource to be used for encrypting the request to the service. The optional usage element in the emebedded key information indicates the use of the embedded keys, either for signature or encryption.
The API is in class org.globus.wsrf.impl.security.util.EPRUtil. The method to embed the certificates is called insertCertificates and the method to extract the key informationis called extractCertificates. Please refer to API documentation for details on using the methods.
GSI Secure Conversation: With this mechanism, the peer credentials can be obtained once the handshake is completed.
import org.globus.wsrf.impl.security.authentication.Constants; import org.globus.wsrf.impl.security.authentication.secureconv.service.SecurityContext; import org.ietf.jgss.GSSContext; import org.globus.gsi.gssapi.GSSContants; // Get current secure context from message context SecurityContext secContext = messageContext.getProperty(Constants.CONTEXT); GSSContext gssContext = secContext.getContext(); Vector peerCerts = gssContext.inquireByOid(GSSContants.X509_CERT_CHAIN);GSI Secure Transport: With this mechanism, the peer credentials can be obtained once the handshake is completed.
import org.ietf.jgss.GSSContext; import org.globus.gsi.gssapi.GSSContants; import org.globus.wsrf.impl.security.authentication.Constants; // Get current secure context from message context GSSContext gssContext = messageContext.getProperty(Constants.TRANSPORT_SECURITY_CONTEXT); Vector peerCerts = gssContext.inquireByOid(GSSContants.X509_CERT_CHAIN);GSI Secure Message: With this mechanism, the peer credentials can be obtained only when the response is received.
import org.globus.wsrf.impl.security.authentication.Constants; // Get peer subject from current message context Subject subject = (Subject) messageCtx.getProperty(Constants.PEER_SUBJECT); Set peerCerts = subject.getPublicCredentials(X509Certificate[].class);
SAML Authorization assertions can be used to transport authorization decision statements to the point of enforcement. Such assertions can be obtained from any entity that manages use rights. For example, Community Authorization Service, a Globus Toolikit higher level service, can be used to manage user rights and issue such assertions. On the remote side, PDPs/PIPs might be used to extact the assertion and enforce the rights. Some PDPs/PIPs with such functionality are distributed and details can be found PIP Reference and PDP Reference.
The toolkit provides two mechanisms to do this:
Using proxy certificates: In this mechanism the SAML Authorization Assertions are embedded as non-critical assertions in the proxy certificate. These assertions can then be extracted from the certificate, to enforce access rights at the resource.
A command line client
$GLOBUS_LOCATION/bin/globus-embed-assertionimplemented usingorg.globus.wsrf.client.EmbedAssertioncan be used to embed a SAML Assertion stored in a file into a credential.Using SOAP Header: The SAML Assertion can also be embedded in the SOAP Header. The toolkit uses the WS-Security SAML Token Profile to embed the assertion.
Section 4.7.2, “Syntax of the interface” describes configuration required to embded an assertion into the message header. At the remote end, the security handlers detect the presence of the SAML Assertion in the header and store it as string in the Message Context property
Constants.SAML_ASSERTION_STR
Multiple message protection schemes can be used in a single invocation, although it is worth noting that this will cause a performance penalty
For example, both Secure Transport and Secure Conversation can be done on the same invocation by using the following
stub._setProperty(Constants.GSI_SEC_CONV, Constants.INTEGRITY);
stub._setProperty(Constants.GSI_TRANSPORT, Constants.PRIVACY);
| Note |
|---|---|
These two mechanisms share a single property for authorization. There is a bug open to provide independent support: Bug 4350 |
Similarly Secure Message can be used in tandem with other message protection mechanisms.
This error occurs when globus-start-container is run without any valid credentials. Either a proxy certificate or service/host certificate needs to be configured for the container to start up
Solutions:
If you are not looking to start up a container that uses GSI Secure Transport, which is used by the container by default, use "globus-start-container -nosec". You will be able to use insecure clients and services. However, this also implies that if you have not configured individual services with credentials, you will not be able to securely access the service.
If you are running a personal container, generate proxy certificate. If proxy certificate is not in default, configure container security descriptor as described Configuring Container Security Descriptor
If you are looking to use host certificates, configure container security descriptor as described Configuring Credentials
This error occurs if the file path to the container certificate and key configured are invalid.
Solutions:
The path to container certificate and key are configured in $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml. This file is loaded as described here. Ensure that the path is correct.
This error occurs if container proxy file configured is invalid.
Solutions:
The path to container proxy certificates are configured in $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml. This file is loaded as described here. Ensure that the path is correct.
This error occurs if the container security descriptor configured is invalid.
Solutions:
The container security descriptor should conform to the Container Security Descriptor Schema
Refer to the "Caused by: " section for details on specific element that is not correct.
This error occurs if the CA certificate for the credentials being used is not installed correctly.
Solutions:
If this issue occurs on the server side, the container is not configured with CA certificates. The container looks for trusted certificates in default location as described Java CoG Toolkit FAQ
On the server side the trused certificates can be configured as described in Trusted Certificates
On the client side, trusted certificates can be configured as described in Configuring Trusted Credentials
See Section 9, “Associated Standards” for a list of associated standards.